Add reproducible.archlinux.org instance
Create a new VPS for running the master rebuilderd daemon which coordinates the rebuild tasks to rebuilderd nodes. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
parent
689f0986e8
commit
f9e3e52063
9 changed files with 130 additions and 0 deletions
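--- a/group_vars/all/vault_rebuilderd.yml
+++ b/group_vars/all/vault_rebuilderd.yml
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+37393734383433333465653531663339353262306139633039636566343235626335643030326135
+3730303732663531393832666337383339306531306663320a313030613462376261623037316461
+33313336653037623964346131323436373331393932306338326463653932643038333436663834
+6666343266343738310a366666326464326338656435363263633834616431636237653134356232
+32323466613738633663313232653661363832643766363763303439373732306435643364386365
+39666330646564346637313263623430363562646535383264633435353363396662363834353130
+30356661333537336139303362366537616330656636666336356332333130656635333565333835
+64303837653965336535316263346466356264653566383130303434663930333832633634336163
+30336131656666663563633936356465326135386265373761646161646133393534346535363332
+31663339613166353964343864626231316332373433323266393037376462316439353936326638
+623866663534303733323366323465616665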
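--- a/host_vars/reproducible.archlinux.org
+++ b/host_vars/reproducible.archlinux.org
@@ -0,0 +1,11 @@
+---
+
+filesystem: btrfs
+zabbix_agent_templates:
+- Template OS Linux
+- Template App Borg Backup
+- Template App HTTP Service
+- Template App HTTPS Service
+
+fail2ban_jails:
+sshd: true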
2
hosts
2
hosts
|
@ -76,3 +76,5 @@ repro2.pkgbuild.com
|
|||
|
||||
[memcached]
|
||||
apollo.archlinux.org
|
||||
|
||||
reproducible.archlinux.org
|
||||
|
|
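Review bot: As rendered here, `reproducible.archlinux.org` is added directly below the `[memcached]` section, after `apollo.archlinux.org` and a blank line. In an INI inventory a blank line does not close a group, so the new host would become a member of `memcached` and pick up any play or group_vars targeting that group. If that is not intended, place the host under its own header (for example a dedicated `[rebuilderd]` section, name is a suggestion) or move it above the first group header so it stays ungrouped. The rest of the inventory lies outside this hunk, so confirm against the full file.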
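--- a/playbooks/reproducible.archlinux.org.yml
+++ b/playbooks/reproducible.archlinux.org.yml
@@ -0,0 +1,16 @@
+---
+
+- name: setup reproducible builds rebuilder
+hosts: reproducible.archlinux.org
+remote_user: root
+roles:
+- { role: common }
+- { role: tools }
+- { role: firewalld }
+- { role: sshd }
+- { role: unbound }
+- { role: root_ssh }
+- { role: borg-client, tags: ["borg"] }
+- { role: certbot }
+- { role: nginx }
+- { role: rebuilderd }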
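--- a/roles/rebuilderd/defaults/main.yml
+++ b/roles/rebuilderd/defaults/main.yml
@@ -0,0 +1,2 @@
+rebuilderd_domain: reproducible.archlinux.org
+rebuilderd_nginx_conf: /etc/nginx/nginx.d/rebuilderd.conf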
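Review bot: `rebuilderd_nginx_conf` is declared here but nothing visible in this commit reads it: the `set up nginx` task in roles/rebuilderd/tasks/main.yml hard-codes `dest=/etc/nginx/nginx.d/rebuilderd.conf`. Either use `dest={{ rebuilderd_nginx_conf }}` in that task or drop the variable, so the path is defined in one place. Because `rebuilderd_domain` always has a default, the `when: 'rebuilderd_domain is defined'` guards in the tasks file are always true and only look like a safety check. The file also lacks the leading `---` that the playbook and host_vars files in this commit start with.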
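--- a/roles/rebuilderd/tasks/main.yml
+++ b/roles/rebuilderd/tasks/main.yml
@@ -0,0 +1,32 @@
+- name: install required packages
+pacman: name=rebuilderd state=present
+
+# TODO: remove when repro is released with https://github.com/archlinux/archlinux-repro/pull/73
+- name: import bootstrap gpg key
+command: gpg --auto-key-locate nodefault,wkd --locate-keys pierre@archlinux.de
+
+- name: create ssl cert
+command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ rebuilderd_domain }}' creates='/etc/letsencrypt/live/{{ rebuilderd_domain }}/fullchain.pem'
+when: 'rebuilderd_domain is defined'
+
+- name: configure rebuilderd.conf
+template: src=rebuilderd.conf.j2 dest=/etc/rebuilderd.conf owner=rebuilderd group=rebuilderd mode=0660
+
+- name: configure rebuilderd-sync.conf
+template: src=rebuilderd-sync.conf.j2 dest=/etc/rebuilderd-sync.conf owner=rebuilderd group=rebuilderd mode=0660
+
+- name: make nginx log dir
+file: path=/var/log/nginx/{{ rebuilderd_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/rebuilderd.conf owner=root group=root mode=0644
+notify:
+- reload nginx
+when: 'rebuilderd_domain is defined'
+tags: ['nginx']
+
+- name: enable and start rebuilderd
+systemd: name=rebuilderd enabled=yes state=started
+
+- name: enable and start rebuilderd timer
+systemd: name=rebuilderd-sync@archlinux-core.timer enabled=yes state=started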
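Review bot: The `import bootstrap gpg key` task accepts whatever key the WKD lookup for pierre@archlinux.de returns and never checks its fingerprint, so the key (presumably what archlinux-repro uses to verify the bootstrap image) is trusted on the strength of one web lookup at provisioning time. Follow it with a check against a pinned value, for example `command: gpg --list-keys <EXPECTED_FINGERPRINT>` with `changed_when: false`. The import runs as root on every play, so also confirm that root's keyring is the one the rebuild tooling reads. Separately, both config templates are installed `owner=rebuilderd group=rebuilderd mode=0660` although `rebuilderd.conf` carries `signup_secret`. Unless the daemon has to rewrite its own config, `owner=root group=rebuilderd mode=0640` keeps the secret readable by the service without letting the service account modify it.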
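--- a/roles/rebuilderd/templates/nginx.d.conf.j2
+++ b/roles/rebuilderd/templates/nginx.d.conf.j2
@@ -0,0 +1,38 @@
+server {
+listen 80;
+listen [::]:80;
+server_name {{ rebuilderd_domain }};
+
+access_log /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
+error_log /var/log/nginx/{{ rebuilderd_domain }}/error.log;
+
+include snippets/letsencrypt.conf;
+
+location / {
+access_log off;
+return 301 https://$server_name$request_uri;
+}
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name {{ rebuilderd_domain }};
+
+access_log /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
+error_log /var/log/nginx/{{ rebuilderd_domain }}/error.log;
+
+ssl_certificate /etc/letsencrypt/live/{{ rebuilderd_domain }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ rebuilderd_domain }}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{ rebuilderd_domain }}/chain.pem;
+
+location /api {
+proxy_pass http://127.0.0.1:8080;
+}
+
+location / {
+access_log off;
+default_type text/plain;
+return 200 'Arch Linux Rebuilderd Instance https://wiki.archlinux.org/index.php/Rebuilderd';
+}
+}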
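Review bot: `location /api` forwards the whole rebuilderd API to the public HTTPS listener with a bare `proxy_pass`, so the daemon sees every request as coming from 127.0.0.1. The exposed routes presumably include the worker sign-up and administration ones that the `[worker]` and `[auth]` secrets in rebuilderd.conf protect. Pass the client address through with `proxy_set_header X-Real-IP $remote_addr;` so backend logs and any address-based handling stay meaningful, and consider whether the administrative routes need to be reachable from outside at all. The prefix match also catches paths such as `/apix`; `location /api/` is tighter if all of the daemon's routes live under `/api/`. No `Strict-Transport-Security` header is set in this server block, though it may come from shared nginx configuration not shown in this commit.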
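--- a/roles/rebuilderd/templates/rebuilderd-sync.conf.j2
+++ b/roles/rebuilderd/templates/rebuilderd-sync.conf.j2
@@ -0,0 +1,6 @@
+[profile."archlinux-core"]
+distro = "archlinux"
+suite = "core"
+architecture = "x86_64"
+source = "https://mirror.pkgbuild.com/core/os/x86_64/core.db"
+excludes = ["gcc*"]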
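--- a/roles/rebuilderd/templates/rebuilderd.conf.j2
+++ b/roles/rebuilderd/templates/rebuilderd.conf.j2
@@ -0,0 +1,11 @@
+[http]
+# it is highly recommended to bind to localhost and setup nginx as a reverse proxy for https
+bind_addr = "127.0.0.1:8080"
+
+[auth]
+# set the generated secret for administration here
+#cookie = "{{ vault_rebuilderd_auth_cookie }}"
+
+[worker]
+# set the generated secret for our workers here
+signup_secret = "{{ vault_rebuilderd_signup_secret }}"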
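Review bot: The `#cookie = "{{ vault_rebuilderd_auth_cookie }}"` line is commented out only for the TOML parser; Jinja still expands the expression when the template is rendered. The administration secret is therefore written into /etc/rebuilderd.conf inside a comment even though the daemon does not use it, and the template task fails if the variable is missing from the vault. If the cookie is meant to stay unset, wrap the line in a Jinja comment, `{# cookie = "{{ vault_rebuilderd_auth_cookie }}" #}`, or drop the expression from the placeholder.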